Features
Pricing Technology Roadmap Docs
Sign In
Get Started
English Deutsch Français Italiano العربية

Privacy Policy

Last updated: March 2026

1. Introduction

Maravilla Labs ("we", "us", "our"), based in Basel, Switzerland, operates the Maravilla Cloud platform at www.maravilla.cloud. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services.

We are committed to protecting your privacy in accordance with the Swiss Federal Act on Data Protection (FADP/nDSG) and the European General Data Protection Regulation (GDPR).

2. Data We Collect

We collect only the data necessary to provide our services:

  • Email address — for account registration, authentication, and transactional notifications.
  • Handle (username) — your chosen public identifier on the platform.
  • Password hash — a securely hashed representation of your password (we never store plaintext passwords).
  • Timestamps — account creation, last login, and activity timestamps.
  • Integration OAuth tokens — if you connect third-party services, we store the encrypted access tokens necessary for the integration.

3. How We Use Your Data

  • Authentication & access control — to verify your identity and manage permissions.
  • Service delivery — to provide, maintain, and improve the platform.
  • Transactional communication — to send account-related emails such as verification, password reset, and invitation notifications.
  • Security & abuse prevention — to detect and prevent unauthorized access and platform abuse.

We do not use your data for advertising, profiling, or any purpose unrelated to the delivery of our services.

4. Legal Basis for Processing

  • Contract performance (Art. 6(1)(b) GDPR) — processing necessary to provide the services you signed up for.
  • Legitimate interest (Art. 6(1)(f) GDPR) — security monitoring, fraud prevention, and platform improvement.
  • Consent (Art. 6(1)(a) GDPR) — where explicitly provided, such as for optional integrations.

5. Data Retention

We retain data only for as long as necessary:

  • Audit logs — 365 days
  • Usage snapshots — 90 days
  • Password reset tokens — 24 hours
  • Invitation tokens — 2 days
  • Account data — retained for the duration of your account and deleted upon account termination, subject to any legal retention obligations.

6. Third Parties

We minimize third-party data sharing. The only external service that processes personal data on our behalf is:

  • Mailgun (EU region) — for sending transactional emails (verification, password reset, invitations). Mailgun processes your email address solely to deliver these messages. Data is processed within the European Union.

We do not use any third-party analytics, advertising networks, or tracking services.

7. Cookies

We use only functional cookies that are strictly necessary for the operation of the platform:

  • Authentication cookie — a secure, httpOnly cookie containing a JWT token for session management. This cookie cannot be accessed by JavaScript and is transmitted only over HTTPS.

We do not use tracking cookies, analytics cookies, or any third-party cookies. No consent banner is required because we only use strictly necessary cookies as defined under ePrivacy regulations.

8. Your Rights

Under the GDPR and Swiss data protection law, you have the following rights:

  • Right of access (Art. 15 GDPR) — obtain a copy of your personal data.
  • Right to rectification (Art. 16 GDPR) — correct inaccurate personal data.
  • Right to erasure (Art. 17 GDPR) — request deletion of your personal data.
  • Right to data portability (Art. 20 GDPR) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21 GDPR) — object to processing based on legitimate interest.
  • Right to lodge a complaint — you may file a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or your local EU supervisory authority.

To exercise any of these rights, contact us at the address below.

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Passwords are hashed using industry-standard algorithms and are never stored in plaintext.
  • Authentication tokens are stored in secure, httpOnly cookies transmitted exclusively over HTTPS.
  • Sensitive secrets and API keys are encrypted at rest using AES-256-GCM.
  • All data is stored on infrastructure operated within Europe.

10. Contact

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

Maravilla Labs
Basel, Switzerland
Email: privacy@maravilla.cloud